March 11, 2025

Glossary for ISMS & BCMS

Information security (IS) and business continuity (BC) are two essential management systems in today's networked world. In order to minimize risks, ensure business continuity and effectively manage emergencies and crises, institutions, companies and authorities need resilient IT, infrastructure and systems, but also aware employees. In this context it is important to speak a common language and to use a common vocabulary. This glossary gives you a compact overview of the most important terms in these areas that you should know.

Reading time: 7 minutes
Compiled by: Ayhan Dagli

Information security management system (ISMS)

Attack:

An attack is a deliberate form of endangerment, namely an unwanted or unauthorized act with the aim of gaining an advantage or harming a third party. An attack can also be carried out on behalf of a third party who wants to gain an advantage.

Attack vector:

An attack vector is the combination of attack path and technique used by an attacker to gain access to IT systems.

Assets:

Assets are the objects that are required for a specific purpose, in particular to achieve business objectives. The English term "asset" is often translated into German as "Wert" (value). In German, however, "Wert" is a term with many meanings, from the social significance of something to the intrinsic quality of an object. In IT-Grundschutz, the term "assets" is used in the sense of "target objects that are valuable or worthy of protection".

Basic protection:

A term from the BSI IT baseline protection.

The basic protection procedure checks compliance with the basic requirements of IT baseline protection. As an introduction to IT baseline protection, basic protection enables a broad, fundamental initial protection to be carried out across all of a company's business processes and specialist procedures.

Basic requirement:

A term from the BSI IT baseline protection. The basic requirements serve as a simplified introduction to information security management. This is the basic initial protection of business processes and resources. In the basic protection procedure, only the fulfillment of the basic requirements is checked.

Threat:

A threat is generally a circumstance or event that can cause damage. Examples of threats are force majeure, human error, technical failure and intentional acts. If a threat meets a vulnerability (in particular a technical or organizational deficiency), a hazard arises.

Danger:

Danger is often seen as the overarching term, whereas a hazard is understood as a more precisely described danger (defined in terms of type, size and direction in space and time). An example of a danger is data loss; the hazards behind it are, for instance, a defective hard disk or theft of the hard disk.

Definition of the BBK: Condition, circumstance or process that can cause damage to a protected good.

Hazard:

A hazard is a threat that has a concrete effect on an object via a vulnerability. A threat therefore only becomes a hazard to an object through an existing vulnerability.

Definition of the BBK: The possibility that a danger at a specific location will result in an event of a certain intensity that may cause damage to a protected asset.

Scope of application:

see information network

Information Security (IS):

The aim of information security is to protect information. Information can be stored on paper, in IT systems or even in people's heads. The protection goals or basic values of information security are confidentiality, integrity and availability. Many users include other basic values in their considerations. Information security is more than just IT security.

Information Security Officer (ISB):

A person with expertise in information security, placed in a staff unit of an institution, who is responsible for all aspects of information security. The role of the person responsible for information security is named differently depending on the type and orientation of the company, e.g. Chief Information Security Officer (CISO), Chief Security Officer (CSO), Information Security Officer (ISO), Information Security Manager (ISM) or IT Security Officer (IT-SiBe).

Information security management (IS management):

The planning, management and control task required to establish and continuously implement a well thought-out and effective process for establishing information security is referred to as information security management. This is a continuous process whose strategies and concepts must be constantly reviewed for their efficiency and effectiveness and updated as necessary.

Information security management system (ISMS):

An ISMS includes the definition of procedures and rules within an organization that serve to permanently define, control, monitor, maintain and continuously improve information security.

Information Security Management Team (IS Management Team):

The IS management team is a unit that is worth setting up in large organizations and institutions. The team supports the CISO by coordinating overarching measures across the organization, compiling information and carrying out control tasks.

Information network:

Scope of a security concept that has a reasonable minimum size within an institution and is clearly distinguishable from other information networks. An information network comprises the entirety of infrastructural, organizational, personnel and technical components that serve to perform tasks in a specific area of information processing.

Core protection:

A term from the BSI IT baseline protection. Core protection initially focuses on the business processes and assets (crown jewels) that are particularly at risk.

IT security:

IT security describes the protection of the IT infrastructure, for example servers, networks, end devices, operating systems and applications.

(Cleansed) network diagram:

A term from the BSI IT baseline protection.

A network diagram is a graphical overview of the components of a network and their connections. A cleansed network diagram can be used to quickly show third parties the business process and IT structures within the institution, as the level of detail is reduced to the necessary level in a cleansed network diagram. A cleansed network diagram is also a useful basis for certification.

Guideline on information security:

The guideline is a central document for the information security of an organization. It describes for which purposes, with which means and with which structures information security is to be established within the organization. It contains the information security objectives pursued by the organization as well as the security strategy pursued. The security guideline thus also describes the desired level of security in an authority or company via the security objectives.

Ransomware:

Ransomware refers to malware that restricts or prevents access to data and systems and only releases these resources again against payment of a ransom. This is an attack on the security objective of availability and a form of digital blackmail.

Resilience:

In this context, the term refers to the ability of IT systems to withstand security incidents or attacks. The resilience of systems results from a complex interplay of organizational and technical preventive measures, such as specialist personnel, an IT security budget or the available technical infrastructure.

Risk:

Risk is often defined as the combination (i.e. the product) of the frequency with which a loss occurs and the extent of that loss. The loss is often expressed as the difference between a planned and an unplanned result. Risk is a special form of uncertainty.

Risk management:

Risk management refers to all activities relating to the strategic and operational handling of risks, i.e. all activities to identify, manage and control risks for an institution. Risk management includes

  • Identification of risks,
  • Assessment and evaluation of risks,
  • Treatment of risks,
  • Monitoring of risks and
  • Risk communication.

Vulnerability:

A vulnerability or security gap is usually an error or weakness, e.g. in an application or system, which can be misused for unwanted or malicious actions.

Protection requirements:

The protection requirement describes what protection is sufficient and appropriate for the business processes, the information processed and the information technology used.

Protection goals:

Confidentiality

Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permitted manner.

Integrity

Integrity refers to ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is applied to "data", it means that the data is complete and unchanged. In information technology, however, it is usually defined more broadly and applied to "information". The term "information" is used for "data" which, depending on the context, can be assigned certain attributes such as authorship or time of creation. The loss of integrity of information can therefore mean that it has been altered without authorization, details of the author have been falsified or the time of creation has been manipulated.

Availability

The availability of services, functions of an IT system, IT applications or IT networks or even information is ensured if these can always be used by users as intended.

Authenticity

Authenticity refers to both proof of identity and the authenticity of the data itself. It describes the ability of an entity (e.g. a person, a system or a message) to be identified as genuine and trustworthy. This protection objective is generally regarded as a component of integrity.

Security measure:

A security measure (measure for short) refers to all actions that serve to control and counteract security risks. This includes organizational as well as personnel, technical or infrastructural security measures. Security measures serve to fulfill security requirements.

Social engineering:

In cyber attacks using social engineering, criminals try to trick their victims into disclosing data on their own, bypassing protective measures or installing malware on their systems themselves. In both cybercrime and espionage, attackers use clever methods to exploit supposed human weaknesses such as curiosity or fear in order to gain access to sensitive data and information.

Standard protection:

A term from the BSI IT baseline protection. Standard protection essentially corresponds to the classic IT baseline protection approach of BSI Standard 100-2. With standard protection, the ISB can protect the assets and processes of an institution both comprehensively and in depth.

TOM:

Technical and organizational measures (TOM) are measures taken by organizations to ensure the security and protection of personal data in accordance with the GDPR.

Certification:

Certification is a method of verifying the achievement of security objectives and the implementation of security measures by qualified independent bodies.

Target object:

A term from the BSI IT-Grundschutz. Target objects are parts of the information network to which one or more modules from the IT-Grundschutz compendium can be assigned during modeling. Target objects can be physical objects, e.g. IT systems. However, target objects are often logical objects, such as organizational units, applications or the entire information network.

Business Continuity Management System (BCMS)

General organizational structure (AAO):

Permanent form of organization in which the daily tasks of an institution are structured according to the following criteria:

  • hierarchical structure
  • responsibilities
  • communication and decision-making channels

Audit and revision:

The terms "audit" and "revision" are understood differently. BSI Standard 200-4 uses them as follows:

An audit tests against a standard for the purpose of certification and is therefore usually carried out by external parties.

A revision also deals with a specific area using a defined procedure. However, the aim of a revision is not certification but the identification of weaknesses and deficiencies and the derivation of recommendations for action. Revisions are categorized as follows:

  • An external revision is carried out by external parties.
  • An internal revision is carried out by the institution's own employees.

Business Continuity Management System (BCMS):

Structures, rules and organization within an institution in order to achieve an orderly continuation of business after loss events in the institution.

BC concept / emergency concept:

It includes an emergency preparedness concept and an emergency manual.

Special organizational structure (BAO):

Temporary form of organization for extensive and complex tasks, especially for measures for special occasions that cannot be handled within the framework of the AAO. In this form of organization, temporary responsibilities, hierarchies and communication and decision-making channels apply that deviate from normal operations.

Business Impact Analysis (BIA):

Structured investigation with the aim of identifying (time) critical business processes and resources (assets). To this end, the direct and indirect potential consequential losses for the institution caused by the failure of business processes are determined. The requirements for restarting business processes are derived from this.

Business continuation plan (GFP, from German Geschäftsfortführungsplan):

Plan that documents how an institution reacts at the process level to a business interruption following a resource failure. The GFP is based on the process level.

Parameters:

MTPD (Maximum Tolerable Period of Disruption) / MAO (Maximum Acceptable Outage) / MTA (from German maximal tolerierbare Ausfallzeit, maximum tolerable downtime)

Maximum time for which a business process may fail before intolerable effects occur for the institution. The upper limit is determined on the basis of a damage assessment of the business process in question.

RPA (Recovery Point Actual / actually expected data loss)

The data loss actually to be expected in the event of a loss event. The RPA is usually given as the actual data backup cycle per application, IT system or business process.

RPO (Recovery Point Objective) / MDL (Maximum Data Loss / Maximum Tolerable Data Loss)

Value for the maximum age that available data may have in order to be able to operate time-critical business processes after an interruption.

RTA (Recovery Time Actual / actual restart time, German: tatsächliche WAZ)

The actual restart time describes the period from the time the emergency is declared until the emergency solution is actually put into operation, e.g. by switching to an alternative or replacement resource. The RTA can be determined and verified during exercises and tests.

RTO (Recovery Time Objective / required restart time, German: geforderte WAZ, from Wiederanlaufzeit)

The required restart time describes the period from the time the emergency is declared until the time by which the emergency solution must be in operation, e.g. by switching to an alternative or replacement resource. The RTO / WAZ should be less than the MTPD / MTA.

Crisis:

A crisis is defined as a damaging event that has a massive negative impact on the institution and whose effects on the institution cannot be overcome during normal operations.

In contrast to an emergency, however, there are no specific emergency plans for dealing with a crisis, existing emergency plans cannot be adapted or can only be adapted to a limited extent or are simply not effective. Within the institution, the crisis is managed by measures initiated by the BAO. Crises can occur immediately or escalate from a disruption or emergency.

Definition of the BBK: A situation deviating from the normal state with the potential for or with already occurred damage to protected goods, which can no longer be managed with the normal organizational structure and process organization, so that a special organizational structure (BAO) is required.

Guideline on BCMS:

The BCMS guideline defines objectives and general requirements for the BCMS at the strategic level. This guideline thus provides the binding framework and mandate for all further BCMS activities and documentation. It describes why and under what conditions the BCMS is set up and operated, as well as the general objectives for the BCM.

Emergency operation:

Business operations that take place after a loss event, possibly with restrictions, which ensure the necessary and time-critical functions of the affected business processes.

Emergency operating level:

The minimum business continuity objective (MBCO) defines how efficient the emergency operation should be in order to ensure meaningful business operations. The performance of the emergency operation can be specified as a percentage, for example, or alternatively activities can be prioritized.

Emergency:

Emergencies are interruptions to business operations that affect at least one time-critical business process that cannot be restored during normal operation within the maximum tolerable downtime.

In contrast to disruptions, a special organizational structure (BAO) is required to deal with emergencies. In contrast to a crisis, suitable plans are available for dealing with emergencies or existing plans can be adapted. Emergencies can also occur before the damaging event leads to an interruption of business operations. All that is required is the risk that business operations could be interrupted by the damaging event.

Definition of the BBK: A situation with the potential for or already occurring damage to protected assets that may require state-organized assistance in addition to self-help measures by individuals.

Emergency response:

All internal activities of the institution that serve, after an emergency has occurred, to

  • switch to emergency operation,
  • maintain emergency operation and
  • return to normal operation.

Emergency manual:

Document containing all the information required for emergency management. The document includes, for example, all emergency plans, the staff's rules of procedure and the communication concept.

Emergency measures:

All measures that are developed preventively and implemented when an emergency occurs in order to limit the damage and continue business processes.

This includes all measures for restarting and continuing business as well as all immediate measures.

Emergency preparedness:

All preventive measures and procedures carried out before the occurrence of a loss event.

Definition of the BBK: Sum of all measures aimed at the time after the occurrence of an emergency, but which are taken beforehand. Emergency preparedness as a generic term also includes emergency planning and other measures to be taken in the run-up to an emergency.

Emergency preparedness concept:

The emergency preparedness concept contains a description of all organizational and conceptual aspects of the BCMS as well as regulations and specifications for individual BCM process steps.

NuK (emergency and crisis communication):

Activities that are carried out before or during a crisis or emergency and, if necessary, after it has been dealt with, in order to collect and verify relevant information and distribute it to internal and external target groups.

For emergency and crisis communication, appropriate concepts for dealing with the various interest groups, e.g. employees and the media, are developed in advance. If necessary, these concepts are adapted and continuously revised as part of the management process.

Definition of the BBK (crisis communication): Exchange of information and opinions during a crisis to prevent or limit damage to a protected asset.

Organizational unit (OU):

Logical unit of an institution, e.g. a location, a department or a specialist area.

Resource:

All physical and digital assets that are required to carry out business processes. Assets in the business sense are, for example, personnel, IT systems, buildings, service companies, machines or operating resources.

Damage:

Damage is any material or immaterial disadvantage suffered by a person or thing as a result of an event.

Definition of the BBK: Negatively assessed impact of an event on a protected resource.

Damage event:

Incident that leads to a deviation from an expected result.

Definition of the BBK: Coincidence of danger and protected good with the occurrence of damage.

Protected good:

Definition of the BBK: Anything that is to be protected from damage due to its non-material or material value.

Disruption:

A disruption is a situation in which processes or resources are not available as intended. Disruptions are usually rectified within normal operations by the institution's general organizational structure (AAO).

Existing processes for troubleshooting or incident management are used for this purpose. However, faults can escalate into an emergency.

Restart plan (WAP, from German Wiederanlaufplan):

Documentation that describes how an institution can compensate for failed resources, e.g. by implementing emergency solutions or substitute solutions. The aim of compensation is to ensure an emergency operation that guarantees business continuity. The WAP is based on the resource level.

Recovery plan (WHP, from German Wiederherstellungsplan):

Documentation that describes how failed resources can be restored to normal operation. The WHP is based on the resource level.

Time-critical:

Classification for all business processes or resources whose failure within a specified period of time could lead to unacceptable damage for an institution, possibly threatening its existence.

The classification of resources is derived from the classification of the business processes that require the respective resources.

Sources

The following sources were used in the preparation of this article:

  • BSI Standard 200-2 IT-Grundschutz methodology
  • BSI: The State of IT Security in Germany 2024
  • BSI IT baseline protection compendium
  • BSI Standard 200-4 Business Continuity Management (BCM)
  • Glossary for BSI Standard 200-4
  • Glossary of the Federal Office of Civil Protection and Disaster Assistance (BBK)
  • https://wiki.isms-ratgeber.info/wiki/Abk%C3%BCrzungen
  • https://www.pd-g.de/assets/Aktuell-im-Fokus/Informationssicherheit/240904_Informationssicherheit_Glossar.pdf